You can configure both dynamic NAT and 1:1 static NAT on the service side of a vEdge router. To do so, you create a NAT pool interface within a service VPN on the router, and then you configure a centralized data policy on the vSmart controller. This policy directs data traffic with the desired prefixes to the service-side NAT. Finally, you configure either dynamic NAT or static NAT on the desired NAT pool interfaces.

Create a NAT Pool Interface

On the vEdge router, you create a NAT pool interface. This interface NATs data traffic that is directed to it and then forwards the traffic towards its destination.

To create a NAT pool interface:

In the desired VPN, create the NAT pool interface:vEdge(config-vpn)# interfacenatpoolnumber The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.

Configure the NAT pool interface's IP address:vEdge(config-natpool)# ip addressprefix/length The length of the IP address determines the number of addresses that the router can NAT at the same time. Note, however, that a vEdge router can only NAT a maximum of 250 IP addresses.

Enable the interface:​vEdge(config-natpool)# no shutdown

On a NAT pool interface, you can configure only these two commands (ip address and shutdown/no shutdown) and the nat command, discussed below. You cannot configure any of the other interface commands.

Create a Data Policy To Direct Data Traffic to a Service-Side NAT

To direct data traffic from the service side of the vEdge router to the NAT, you create a centralized data policy on the vSmart controller. In the match condition of the policy, you identify the data traffic that you want to direct to the NAT. One way to do this is to match on the IP prefixes of the data traffic. In the action condition of the policy, you direct the matching traffic to one of the number NAT pools. Finally, you apply the policy to the service side at the desired overlay network sites.

To create a data policy to direct data traffic to a service-side NAT:

Configure the lists required for the data policy. You must configure a list of VPN and sites. If you are matching on data prefixes, configure a data prefix list.vSmart(config-policy-lists)# vpn-listlist-name vSmart(config-policy-vpn-list)# vpnvpn-id

Configure Dynamic NAT

By default, when you configure a vEdge router to act as a NAT, the router performs dynamic network address translation. In this capacity, the router can perform dynamic NAT for up to 250 IP addresses across NAT pools.

To configure dynamic NAT:

In the desired VPN, create the NAT pool interface:vEdge(config-vpn)# interfacenatpoolnumber
The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.

Configure the IP address prefix for the NAT pool interface:vEdge(config-natpool)# ip addressprefix/length
The prefix ength determines the maximum number of addresses that the router can NAT at the same time. For example, for a /30 prefix length, the router can perform translation on four addresses at a time.

Enable the interface:​vEdge(config-natpool)# no shutdown

Enable dynamic NAT:vEdge(config-natpool)# nat

As mentioned above, the length of the IP address determines the number of IP addresses that the router can NAT at the same time, up to a maximum of 250 across all NAT pools. When all available IP addresses have been used, the router reuses the last IP address multiple times, changing the port number. The port number is chosen at random from the nonreserved port numbers, that is, those port numbers in the range 1024 through 65535. For example, if the IP address is 10.1.17.3/30, the vEdge router can uniquely NAT four IP addresses. Let's say that the router maps the fourth IP address to 10.1.20.5, or more specifically to 10.1.20.5:12346 if we include the port number. It would then map the fifth IP address to the same IP address, but with a different port, such as 10.1.20.5:12347. To have the router drop packets when no more IP addresses are available for the translation process, include the following command:

Configure Static NAT

You can configure a vEdge router acting as a NAT to perform static network address translation (also called 1:1 static NAT) of source IP addresses. You can translate service-side source addresses before sending packets out to the overlay network, and you can translate external addresses before forwarding packets to the service-side network. You can also translate service-side source addresses before sending packets out to another service-side LAN connected to the same vEdge router.

For packets originating on the service side of a vEdge router, you can statically map the packets' source IP address to another IP address. You do this by creating a NAT pool interface within a service-side VPN. For this interface, you configure a pool of IP addresses to use for network address translation, and then you configure the static address mappings. When the address pool is depleted, you can choose to drop packets that have unmapped source IP addresses. (Dropping these packets is not the default behavior.)

For packets exiting a transport tunnel from a vEdge router, you can statically map the packet's source IP address to another IP address, generally to an address that is routable within the service-side network. You configure this in the same way as for NATing packets originating on the service side.

You must create separate NAT pool interfaces to translate the source IP addresses for service-side packets and for tunnel packets.

Across all NAT pools, a vEdge router can NAT a maximum of 254 source IP addresses. This is the number of addresses in a /24 prefix, less the .0 and .255 addresses. You cannot configure translation for .0 and .255 addresses.

This section explains how to configure static NAT for translating service-side source IP addresses and for translating external (transport-side) IP addresses. The two procedures are very similar, but we describe them separately for clarity.

Static NATing of Service-Side Addresses

To configure the static NATing of service-side source IP addresses:

In the desired VPN, create the NAT pool interface:vEdge(config-vpn)# interfacenatpoolnumber The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.

Enable the NAT pool interface:​vEdge(config-natpool)# no shutdown

Configure the IP address prefix for the NAT pool interface:vEdge(config-natpool)# ip addressprefix/length The prefix length determines the maximum number of source IP addresses that can be NATed in the NAT pool. For example, for a /30 prefix length, a maximum of four source IP addresses can be NATed.

By default, all IP addresses are translated to an address in the pool of NAT addresses configured in the ip address command. The addresses are mapped one to one until the address pool is depleted. Then, the first address is used multiple times, and the port number is changed to a random value between 1024 and 65535. This reuse of the last address is called overloading. Overloading effectively implements dynamic NAT. To configure static NAT, include the no overload command to enforce the mapping of a single source IP address to a single translated IP address:vEdge(config-nat)# no overload With this command, when the maximum number of available IP addresses available to be translated is reached, packets with other IP addresses are dropped.

Set the direction in which the NAT pool interface performs static mapping to inside to statically translate service-side IP source addresses:vEdge(config-nat)# directioninside The default direction is inside. You can configure only a single direction for each NAT pool interface. That is, a single NAT pool interface can perform static address translation either for service-side source addresses (inside) or for external source addresses (outside), but not for both.

Define the static address translations for service-side source IP addresses:vEdge(config-nat)# static source-ipip-address1translate-ipip-address2insideip-address1 is the source IP address of a device or branch router on the service side of the vEdge router.ip-address2 is the translated source IP address. This is the address that the vEdge router places in the source field of the packet's IP header when transmitting the packet out the transport network. Because the NAT pool direction is inside, this IP address must be in the interface's IP address range. This is the IP address prefix configured in the ip address command. The inside option indicates that it is a service-side, or inside, address that is being statically translated. The maximum number of service-side source IP addresses that you can statically NAT is equal to the number of addresses available in the interface's prefix range. For example, for a /30 prefix length, you can configure a maximum of four static NAT mappings. Once the NAT static address mapping is installed in the router's NAT table, the router can perform source IP address translation in both directions—when a service-side packet is being transmitted into the transport network, and when an external packet (addressed to ip-address2) arrives at the router.

Optionally, define the static address translations for transport-side source IP addresses:vEdge(config-nat)# static source-ipip-address1translate-ipip-address2outsideip-address1 is the source IP address of an external device or router, that is, of a device at a remote site.ip-address2 is the translated source IP address. This is the address that the vEdge router places in the source field of the packet's IP header before forwarding the traffic to the service-side network. The outside option indicates that an external IP address is being statically translated. Because the direction of the NAT pool is inside, the pool of IP addresses set aside for NATing is used only to NAT service-side source IP addresses. This means that here, you can configure any number of external static address translations. As a corollary of NATing an external IP address, when a service-side device responds to that external IP address, it simply takes the source IP address from the received packet and places it into the destination IP field in the IP header.

Static NATing of External Addresses

To configure the static NATing of external source IP addresses:

In the desired VPN, create the NAT pool interface:vEdge(config-vpn)# interfacenatpoolnumber The pool can have a number from 1 through 31. You refer to this NAT pool number in the action portion of the centralized data policy that you configure to direct data traffic to the pool.

Configure the IP address prefix for the NAT pool interface:vEdge(config-natpool)# ip addressprefix/length The prefix length determines the maximum number of IP addresses that the router can NAT at the same time in that NAT pool. For example, for a /30 prefix length, the router can perform translation on four addresses at a time.

By default, all IP addresses are translated to an address in the pool of NAT addresses configured in the ip address command. The addresses are mapped one to one until the address pool is depleted. Then, the last address is used multiple times, and the port number is changed to a random value between 1024 and 65535. This reuse of the last address is called overloading. Overloading effectively implements dynamic NAT. To configure static NATing of external addresses, you must include the no overload command to enforce the mapping of a single source IP address to a single translated IP address, because the software does not support overloading on the outside NAT pool interface:vEdge(config-nat)# no overload With this command, when the maximum number of available IP addresses available to be translated is reached, packets with other IP addresses are dropped.

Set the direction in which the NAT pool interface performs static mapping to outside to statically translate external IP source addresses:vEdge(config-nat)# direction outside The default direction is inside. You can configure only a single direction for each NAT pool interface. That is, a single NAT pool interface can perform static address translation either for service-side source addresses (inside) or for external source addresses (outside), but not for both.

Define the static address translations for external source-IP addresses:vEdge(config-nat)# static source-ipip-address1translate-ipip-address2outsideip-address1 is the source IP address of a remote device or router on the transport side of the vEdge router.ip-address2 is the translated source IP address. This is the address that the vEdge router places in the source field of the packet's IP header when forwarding the packet into the service-side network. Because the NAT pool direction is outside, this IP address must be in the interface's IP address range. This is the IP address prefix configured in the ip address command. The outside option indicates that the address that is being statically translated is an external, or outside, address. The maximum number of external source IP addresses that you can statically NAT is equal to the number of addresses available in the interface's prefix range. For example, for a /30 prefix length, you can configure a maximum of four static NAT mappings. As a corollary of NATing an external IP address, when a service-side device responds to that external IP address, it simply takes the source IP address from the received packet and places it into the destination IP field in the IP header.